Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How...
-
Upload
riley-atkinson -
Category
Documents
-
view
216 -
download
1
Transcript of Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How...
![Page 1: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/1.jpg)
Public Key Infrastructureand Applications
![Page 2: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/2.jpg)
Agenda
PKI Overview Digital Signatures
What is it? How does it work?
Digital Certificates Public Key Infrastructure
PKI Components Policies
Internet Security Web Security with SSL
Smart Cards Email signing – S/MIME
![Page 3: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/3.jpg)
What’s the problem?
Information over the Internet is Free, Available, Unencrypted, and Untrusted.
Not desirable for many Applications Electronic Commerce Software Products Financial Services Corporate Data Healthcare Subscriptions Legal Information
![Page 4: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/4.jpg)
Multiple Security Issues
PrivacyPrivacy
IntegrityIntegrity
AuthenticationAuthentication
Non-repudiationNon-repudiation
Interception Spoofing
Modification Proof of parties involved
![Page 5: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/5.jpg)
Security Algorithms
Symmetric Algorithms
Triple-DES, DES, CAST, RC2, IDEA
Public Key Algorithms
RSA, DSA, Diffie-Hellman, Elliptic Curve
Hashing Algorithms
SHA-1, MD5, RIPEMD
![Page 6: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/6.jpg)
Symmetric Key Encryption
If any one’s key is compromised, all keys need to be replaced
Not practical or cost effective for Internet environments
INTERNET
![Page 7: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/7.jpg)
Public Key Cryptography
Public
Encryption
Original
DocumentEncrypted
DocumentPrivate
Decryption
Original
DocumentSender Receiver
Public-Key Cryptography is an encryption scheme that uses mathematically related, but not identical keys.
Each user has a key pair (public key/private key).
Information encrypted with the public key can only be decrypted using the private key.
![Page 8: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/8.jpg)
What is a Digital Signature ?
A Digital Signature is the result of encrypting the Hash of the data to be exchanged.
A Hash (or Message Digest) is the process of mathematically reducing a data stream down to a fixed length field.
The Hash uniquely represents the original data.
The probability of producing the same Hash with two sets of different data is <.001%.
Signature Process is opposite to Encryption Process
Private Key is used to Sign (encrypt) Data
Public Key is used to verify (decrypt) Signature
![Page 9: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/9.jpg)
Digital Signature Process
Step 1. Hash (digest) the data using one of the supported Hashing algorithms, e.g., MD2, MD5, or SHA-1.
Step 2. Encrypt the hashed data using the sender’s private key.
Step 3. Append the signature (and a copy of the sender’s public key) to the end of the data that was signed.
DataHash
EncryptHash
Digital Signature
Digital Signature
Private
Step 1. Step 2.
Step 3.
Public
![Page 10: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/10.jpg)
Signature Verification Process
Step 1. Hash the original data using the same hashing algorithm.
Step 2. Decrypt the digital signature using the sender’s public key. All digital signatures contain a copy of the signer’s public key.
Step 3. Compare the results of the hashing and the decryption. If the values match then the signature is verified. If the values do not match, then the data or signature was probably modified in transit.
DataHash
Decrypt
Hash
Digital Signature
Public Key
Step 2.
Step 3.
Hash
Step 1.
![Page 11: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/11.jpg)
The Critical Questions
How can the recipient know with certainty the sender’s public key? (to validate a digital signature)
How can the sender know with certaintythe recipient’s public key? (to send anencrypted message)
![Page 12: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/12.jpg)
Digital Certificates
Before B accepts a message with A’s Digital Signature, B wants to be sure that the public key belongs to A and not to someone masquerading as A on an open network
One way to be sure, is to use a trusted third party to authenticate that the public key belongs to A. Such a party is known as a Certification Authority (CA)
Once A has provided proof of identity, the Certification Authority creates a message containing A’s name and public key. This message is known as a Digital Certificate.
~~~~~~~~~~~~
DigitalSignature Before two parties exchange data
using Public Key cryptography, each wants to be sure that the other party is authenticated
![Page 13: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/13.jpg)
Digital Certificates
A Digital Certificate is simply an X.509 defined data structure with a Digital Signature. The data represents who owns the certificate, who signed the certificate, and other relevant information
Version #Serial #
Signature AlgorithmIssuer Name
Validity PeriodSubject Name
Subject Public KeyIssuer Unique ID
Subject Unique IDExtensions
Digital Signature
X.509 Certificate
CA Authorized
When the signature is generated by a Certification Authority (CA), the signature can be viewed as trusted.
Since the data is signed, it can not be altered without detection.
Extensions can be used to tailor certificates to meet the needs of end applications.
![Page 14: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/14.jpg)
Certificate Life Cycle
Key pair generated
Certificate issued
Key pair in use Private keycompromised
Certificaterevoked
Certificate expires
Key pair lifetime exceeded?
New keypair
generatedRe-certify
![Page 15: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/15.jpg)
Certificate Revocation Lists
CA periodically publishes a data structure called a certificate revocation list (CRL).
Described in X.509 standard. Each revoked certificate is identified in a
CRL by its serial number. CRL might be distributed by posting at
known Web URL or from CA’s own X.500 directory entry.
![Page 16: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/16.jpg)
PKI Players
Registration Authority (RA) to identity proof users
Certification Authorities (CA) to issue certificates and CRL’s
Repositories (publicly available databases) to hold certificates and CRLs
![Page 17: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/17.jpg)
Certification Authority (CA)
Certification Authority
Trusted (Third) Party
Enrolls and Validates Subscribers
Issues and Manages Certificates
Manages Revocation and Renewal of Certificates
Establishes Policies & Procedures
What’s Important Operational Experience
High Assurance Security Architecture
Scalability
Flexibility
Interoperability
Trustworthiness
Certification Authority = Basis of Trust
![Page 18: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/18.jpg)
Registration Authority (RA)
Enrolling, de-enrolling, and approving or rejecting requested changes to the certificate attributes of subscribers.
Validating certificate applications. Authorizing requests for key-pair or
certificate generation and requests for the recovery of backed-up keys.
Accepting and authorizing requests for certificate revocation or suspension.
Physically distributing personal tokens to and recovering obsolete tokens from people authorized to hold and use them.
![Page 19: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/19.jpg)
Certificate Policy (CP) is …
the basis for trust between unrelated entities
not a formal “contract” (but implied) a framework that both informs and
constrains a PKI implementation a statement of what a certificate means a set of rules for certificate holders a way of giving advice to Relying Parties
![Page 20: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/20.jpg)
Public Key Security
Services
Public Key Technology
Digital Certificates
Certification Authorities
Security Management
Technology
Infrastructure
PR
IVA
CY
AU
TH
EN
TIC
AT
ION
INT
EG
RIT
Y
NO
N-R
EP
UD
IAT
ION
Public Key Technology Best Suited to Solve Business Needs
Infrastructure = Certification Authorities
![Page 21: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/21.jpg)
Authentication/Access Control
Can Public Key Technology be used to perform Authentication and Access Control?
Sure CanHow?
DigitalSignature
Using Digital Signatures
and Digital Certificates
![Page 22: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/22.jpg)
SSL Protocol
Secure Socket Layer
Applicationand so on …..
HTTP
TCP/IP Layer
Network Layer
FTP NNTP
Secure Socket Layer (SSL) is a Network Layer protocol used to secure data on TCP/IP networks.
![Page 23: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/23.jpg)
SSL 2.0 Protocol
• Browser Connects to Secure Server
CertS
{SessKeyB } CertS
{Data} SessKeyB
• Browser verifies signature on CertS
• Browser generates session key (SessKeyB)• Browser encrypts SessKeyB using CertS
• Server sends copy of Server certificate (CertS) to Browser, indicating that SSL 2.0 is enabled
• Server decrypts SessKeyB using it’s private key
• Browser and Server use SessKeyB to encrypt all data exchanged over the Internet
SSL 2.0 provides encryption between the server and the browser.
![Page 24: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/24.jpg)
SSL 3.0 with Client Authentication
• Browser Connects to Secure Server
CertS - SSL 3.0
{SessKeyB } CertS + CertB
{Data} SessKeyB
• Browser verifies signature on CertS
• Browser generates session key (SessKeyB)• Browser encrypts SessKeyB using CertS
• Browser asks operator to select a Browser certificate (CertB) to access server
• Server sends copy of Server certificate (CertS) to Browser, indicating that SSL 3.0 is enabled with client authentication
• Server verifies signature on CertB (Server can check other information as well)• Server decrypts SessKeyB using it’s private key
• Browser and Server use SessKeyB to encrypt all data exchanged over the Internet
![Page 25: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/25.jpg)
Smart Cards
Microprocessor with memory that can generate and
store keys and certificates
Different form factors and interface mechanisms
Cryptographic functions using private key are
processed on the card itself
![Page 26: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/26.jpg)
Smart Cards and PKI
Smart cards are «certificate wallets»
Secure storage for: Owner private key
Smart Cards are a «PC-in-your-Pocket» Generation of owner’s digital signature
Smart cards provide: Mobility Security Transparency
![Page 27: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/27.jpg)
Digital ID
Asymmetric key-pair public key private key
X.509 certificate ISO standard public key credentials
![Page 28: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/28.jpg)
Smart card application example:Digital Signature
![Page 29: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/29.jpg)
Smart card inheterogeneous environments
Smart cards need readers and drivers
Readers desktop or embedded (keyboard, floppy slot) optional display and keypad PC world ready for installation Mac, Unix & Linux ‘waiting’ for USB
Drivers PC/SC standard for Windows PC custom developments
![Page 30: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/30.jpg)
Pay-TV, did you know it’s PKI ?
Pay-TV systems installed worldwide 22 millions customers pay-per-view electronic purse Internet
Managed and secured with a very high proprietary secured PKI solution based on a smartcard
![Page 31: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/31.jpg)
Signed and Encrypted Email – S/MIME
S/MIME – Secure Multipurpose Internet Mail Extensions
Prevent email spoofing Helps preventing forged email Helps preventing spam
Protect sensitive messages & documents Secure business processes
Signed messages S/MIME-based applications
![Page 32: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/32.jpg)
Using PKI Certificates in Outlook (1)
Open Outlook. Select Tools from the main menu then choose Options from the drop-down menu.
1
![Page 33: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/33.jpg)
Using PKI Certificates in Outlook (2)
Click on the Security tab.
2
![Page 34: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/34.jpg)
Using PKI Certificates in Outlook (3)
Click the Settings button.
3
![Page 35: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/35.jpg)
Using PKI Certificates in Outlook (4)
4In the Security Settings Name field, enter a name for the new Security Setting .
Type S/MIME in the Secure Message Format field.
Click the Choose button next to the Signing Certificate field.
![Page 36: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/36.jpg)
Using PKI Certificates in Outlook (5)
Click on the certificate issued by C3 Mail CA. This is your Email Signing certificate. Click OK.
5
![Page 37: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/37.jpg)
Using PKI Certificates in Outlook (6)
Choose SHA1 from the Hash Algorithm drop down menu.
Click on the Choose button next to the Encryption Certificate field.
6
![Page 38: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/38.jpg)
Using PKI Certificates in Outlook (7)
Click on the certificate issued by C3 Mail CA. This is your Email Encryption certificate. Click OK.
7
![Page 39: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/39.jpg)
Using PKI Certificates in Outlook (8)
Choose 3DES from the Encryption Certificate drop down box.
Check all 3 boxes in the Change Security Settings window.
Click OK.
8
![Page 40: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/40.jpg)
Using PKI Certificates in Outlook (9)
Click the Apply button then click OK.
9
![Page 41: Public Key Infrastructure and Applications. Agenda PKI Overview Digital Signatures What is it? How does it work? Digital Certificates Public Key Infrastructure.](https://reader035.fdocuments.us/reader035/viewer/2022062618/55148c40550346ea6e8b4f50/html5/thumbnails/41.jpg)
Questions?